From: <Saved by Microsoft Internet Explorer 5>
Subject: What is RPCSS.EXE?
Date: Thu, 21 Nov 2002 14:09:53 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_0000_01C29167.A9CA9480";
	type="text/html"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.cexx.org/rpc.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>What is RPCSS.EXE?</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<META content=3DGuest name=3DAuthor><!-- Hey Bill! If you can see this, =
please run SiteWide to update the info tags, ya dope! --><!-- SiteWide =
Meta-Info --><!-- #AltDesc=3DWhat is RPCSS.EXE? --><!-- =
#AuthorName=3DPatrick Chipman --><!-- #DateCreate=3D04-17-2001 --><!-- =
#DateModify=3D04-17-2001 --><!-- #Description=3Drpcss.exe explanation =
--><!-- #Keywords=3Drpcss.exe, rpc, unknown --><!-- =
#Section=3DAdverspamming.Spyware --><!-- #AuthInfo=3DFILE:rpcss.txt =
--></HEAD>
<BODY text=3D#ffffff vLink=3D#cc66cc aLink=3D#ff0000 link=3D#ffcc00 =
bgColor=3D#000000=20
background=3Dhttp://www.cexx.org/graph0.gif><!-- #SiteWide BEGIN =
NAME=3DBegging -->
<TABLE cols=3D1 width=3D"100%" bgColor=3D#005300>
  <TBODY>
  <TR>
    <TD>
      <DIV align=3Dright><B><FONT face=3DArial,Helvetica color=3D#cccccc =
size=3D-1>Your=20
      generous <A href=3D"http://www.cexx.org/money.htm">donations</A> =
help keep=20
      this site online! <A=20
      href=3D"http://s1.amazon.com/exec/varzea/pay/T1QGGCP4GI2UXO"=20
      target=3D_blank>Click here</A> to support=20
  cexx.org.</FONT></B></DIV></TD></TR></TBODY></TABLE><!-- #SiteWide END =
Begging -->
<CENTER><FONT face=3DArial,Helvetica><FONT size=3D+1>What is=20
RPCSS.EXE?</FONT></FONT></CENTER><!-- Begin visible author / file info =
-- transitioning to a Perl-based guest-page-formatter -->
<P><BR>
<TABLE cols=3D1 width=3D"100%" bgColor=3D#333333>
  <TBODY>
  <TR>
    <TD><B><FONT face=3DArial,Helvetica><FONT size=3D-1>Written by: =
Patrick=20
      Chipman &lt;<!-- Include via spam-blocking script -->
      <SCRIPT language=3Djavascript>=20
  <!--=20
   =20
    var myname=3D"pchipman";    =20
    var myhost=3D"conceptsyndicate.com"; =20
    var myaddy=3Dmyname+"@"+myhost;=20
    document.write("<a href=3D\"mailto:"+myaddy+"\">"+myaddy+"</a>");=20
   =20
  //-->=20
 </SCRIPT>
       &gt;</FONT></FONT></B></TD></TR>
  <TR>
    <TD>
      <DIV align=3Dright><B><FONT face=3DArial,Helvetica><FONT =
size=3D-1>Created April=20
      17 2001, modified April 17=20
2001</FONT></FONT></B></DIV></TD></TR></TBODY></TABLE><!-- End visible =
info --><!-- Beginning of file contents --><FONT=20
face=3DArial,Helvetica><FONT size=3D-1>
<P>Coming from a heavy Windows NT development background, I can shed =
some light=20
on what rpcss.exe is actually doing. RPC is short for Remote Procedure =
Call; it=20
is a means by which two programs can call each other's publically =
available=20
procedures over a network, and is nothing new (in fact, UNIX systems =
have had=20
this in sunrpc/portmap for years). While RPC is not, by its nature, =
connected to=20
any particular service and a program can handle RPC on its own, the =
Win32 API=20
upon which Windows NT and 9x are based provides a series of RPC function =
calls=20
which are handled by (you guessed it!) rpcss.exe. Originally, Windows =
9x's=20
Winsock service didn't provide RPC, so rpcss.exe was redistributed with =
the new=20
Winsock that comes with newer Microsoft applications.=20
<P>In any event, what rpcss.exe does is to handle a number of API calls =
that=20
relate to RPC. In general (and this is somewhat of a simplification to =
prevent=20
techie talk overload), a program can register certain entry points (the=20
"procedures" in remote procedure call) that can be accessed by external=20
applications. This is known as the "portmapper" function. Once =
registered,=20
anyone contacting the RPC port and asking, in the appropriate format, =
for a=20
particular function provided by a particular program will be allowed to =
execute=20
the function. Any security checks are up to the contacted program, as =
all the=20
portmapper does is to make the necessary procedure call on behalf of the =
client.=20

<P>"WAIT JUST A MINUTE," you scream as your face turns red. "You mean =
ANY=20
program can ask ANY OTHER program on MY MACHINE to do something for it =
WITHOUT=20
MY KNOWLEDGE?" The sad truth is that, yes, this is true, and yes, this =
has been=20
a constant source of security flaws in UNIX systems as such-and-such RPC =
service=20
has this unchecked buffer or that improper security check which allows =
any=20
remote user with the proper script to gain full control of the machine. =
Since no=20
such flaws have been found in the rpcss.exe portmapper proper -- =
probably=20
because no one's really looked -- the real threat comes from the =
programs that=20
utilize the portmapper. Unlike UNIX, however, very few Windows programs =
use RPC;=20
hell, most Windows 9x programmers aren't even aware that RPC exists, and =
RPC as=20
a direct communications method is being replaced by DCOM and COM+ (which =
can,=20
but do not necessarily, use RPC) in Windows 2000. Therefore, the =
likelihood of=20
you even having a portmapped program on Windows 9x is extremely low, and =
thus=20
the risk that RPC presents is also quite low.=20
<P>On Windows NT/2000, the situation is somewhat different. One of the =
nice=20
features of the operating system is the ability to remotely administer =
machines.=20
All of these features -- and, in fact, all of the administrative tools =
and,=20
really, all communications between services and the user -- are based on =
RPC and=20
flow through rpcss.exe. The intimate connection between services and =
their=20
front-ends using RPC means that the operating system requires RPC, even =
more so=20
than a UNIX OS. If you doubt this, simply try a test: open up Task =
Manager,=20
click the Processes tab, and kill rpcss.exe. The fact that you usually =
get an=20
Access Denied error is very telling about the importance of this =
metaservice to=20
the machine. If you do manage to kill it (lucky you) or accidentally =
crash it,=20
you'll notice something interesting -- namely, that you cannot use the =
network,=20
that most control panels do not work, and that none of the =
administrative tools=20
work either. This is the direct result of Windows NT being a =
client-server=20
operating system; due to this, a standard means of interprocess =
communication=20
between userspace and kernelspace is required, and Windows NT's =
designers chose=20
to make this linkage through RPC. The upshot of all of this is that, as =
has been=20
stated before, rpcss.exe is critical to operation of Windows NT. =
Deleting it=20
will completely disable your system -- or at least severely hamper it. =
(You can,=20
of course, use your Emergency Repair Disk, your Setup boot disks, and =
the CD to=20
recover the file using the Repair option in setup, assuming you haven't=20
installed too many service packs.)=20
<P>Knowing all of this, some might be wondering about the possibilities =
of=20
spyware or other Trojan horses using RPC to perform tasks for their =
nefarious=20
masters. While this is certainly a possibility, it is pretty unlikely =
for two=20
reasons. First, as I mentioned before, RPC is a UNIX form of =
interprocess=20
communication and is really only used by Windows NT programmers. As a =
result,=20
the average spyware author is probably unaware of how to use it or =
unaware of=20
how to use it properly. Second, RPC is a very noisy protocol that uses a =
lot of=20
bandwidth. The above-average Trojan horse authors will not use RPC for =
this very=20
reason, as a well-trained eye watching a network monitor can easily spot =
RPC=20
traffic and such traffic is easily deciphered. In addition, many =
firewalls block=20
RPC traffic anyway, just in case you happen to be running UNIX behind =
the=20
firewall.=20
<P>So, to sum things up in Q&amp;A format:=20
<UL>
  <LI><I>Is rpcss.exe a Trojan horse?</I> No. It's a server that =
provides RPC=20
  capabilities to the Windows operating system.=20
  <LI><I>Is rpcss.exe a security hole?</I> The program itself is not =
known to be=20
  a security threat. However, like its UNIX brethren, it does provide a =
gateway=20
  through which security holes in programs that use it can be exploited. =
RPC,=20
  like most other IPC protocols, is only as safe as the programs that =
utilize=20
  it.=20
  <LI><I>Can rpcss.exe be exploited by a malicious software author?</I> =
Yes, but=20
  again, this has nothing to do with the program and more to do with =
what it=20
  does (namely, providing an IPC service). However, a smart author won't =
use it=20
  and will instead use "quieter" and lower bandwidth methods to keep his =

  software hidden. A dumb author will probably be unaware of its =
existence.=20
  Either way, its abuse potential is pretty low.=20
  <LI><I>What could an exploit using rpcss.exe do?</I> On Windows 9x, if =
the=20
  author could plant a program that registers itself with the portmapper =

  (rpcss.exe) and communicate with it remotely, it would have unlimited =
access=20
  to the machine. In other words, you'd have a full-blown Trojan horse =
on your=20
  hands, albeit one that would be very easy to detect. On Windows =
NT/2000, the=20
  program would probably have to be a service and its powers would be =
limited=20
  based on the account under which it runs. In all likelihood, it would =
have to=20
  be installed by a member of the Administrators group to have any =
effect at=20
  all, although a lesser program (spyware, perhaps) could load itself =
for each=20
  user and register itself with the portmapper. In the end, RPC simply =
provides=20
  a conduit by which clients can execute predefined code on a server. Of =
course,=20
  a nasty programmer could conceive of a way to execute arbitrary code =
using=20
  RPC, but that's an exercise left to the reader (hint: think assembly=20
  language).=20
  <LI><I>Should rpcss.exe be deleted?</I> No. Under Windows 9x, a =
program may=20
  need it to communicate with other components of itself. Of course, you =
could=20
  delete the program, but various unpleasantries could result. Under =
Windows=20
  NT/2000, deleting this critical system component will disable your OS=20
  (although I believe Windows 2000's system file protection service will =

  automatically replace it with a backup). </LI></UL></FONT></FONT><!-- =
End file contents here --><!-- Author link includes --><!-- End author =
link includes -->
<HR noShade>
<!-- Navigation segment -begin -->
<SCRIPT language=3DJavaScript =
src=3D"http://www.cexx.org/rollover.js"></SCRIPT>

<TABLE cols=3D2 width=3D"100%">
  <TBODY>
  <TR>
    <TD>
      <DIV align=3Dright>&nbsp;<A=20
      onmouseover=3D"rollover('up', 'up_anim.gif'); return true;"=20
      onmouseout=3D"rollover('up', 'up_main.gif'); return true;"=20
      href=3D"http://www.cexx.org/adware.htm"><IMG height=3D74 =
alt=3DSpyware=20
      src=3D"http://www.cexx.org/up_main.gif" width=3D32 border=3D0=20
      name=3Dup></A>&nbsp;</DIV></TD>
    <TD>
      <DIV align=3Dright><A=20
      onmouseover=3D"rollover('home', 'home_anim.gif'); return true;"=20
      onmouseout=3D"rollover('home', 'home_main.gif'); return true;"=20
      href=3D"http://www.cexx.org/main.htm"><IMG height=3D40 alt=3DHome=20
      src=3D"http://www.cexx.org/home_main.gif" width=3D29 border=3D0=20
      name=3Dhome></A>&nbsp;<A=20
      onmouseover=3D"rollover('mail', 'mail_anim.gif'); return true;"=20
      onmouseout=3D"rollover('mail', 'mail_main.gif'); return true;"=20
      href=3D"http://www.cexx.org/email.htm"><IMG height=3D29 =
alt=3DE-mail=20
      src=3D"http://www.cexx.org/mail_main.gif" width=3D37 =
align=3DABSCENTER border=3D0=20
      name=3Dmail></A>&nbsp;<A=20
      onmouseover=3D"rollover('disclaim', 'led_anim.gif'); return true;" =

      onmouseout=3D"rollover('disclaim', 'led_main.gif'); return true;"=20
      href=3D"http://www.cexx.org/disclaimers.htm"><IMG height=3D26=20
      alt=3D"Copyrights and Disclaimers" =
src=3D"http://www.cexx.org/led_main.gif"=20
      width=3D37 align=3DABSCENTER border=3D0=20
name=3Ddisclaim></A></DIV></TD></TR></TBODY></TABLE><!-- Navigation =
segment -end --></BODY></HTML>

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.cexx.org/up_main.gif

R0lGODlhIABKAPcAAAAAAAAAAQAAAgAAAwAABAAABQAABgAABwAACAAACQAACgAACwAADAAADQAA
DgAADwAAEAAAEgAAEwAAFAAAFQAAFgAAFwAAGAAAGQAAGgAAGwAAHAAAHQAAHgAAIAAAIQAAIgAA
IwAAJAAAJgAAJwAAKAAAKQAAKgAAKwAALAAALgAALwAAMQAAMgAAMwAANAAANQAANgAAOAAAOgAA
OwAAPAAAPQAAPgAAPwAAQQAAQgAAQwAARAAARQAARgAARwAASgAASwAATQAATgAAUQAAUgAAVAAA
VQAAVwAAWAAAWQAAWgAAWwAAXAAAXQAAXgAAXwAAYAAAYgAAYwAAZQAAZgAAZwAAaAAAaQAAagAA
bAAAcAAAcQAAcgAAcwAAdAAAdwAAegAAewAAfAAAfQAAfgAAggAAgwAAhQAAhgAAiAAAigAAjAAA
jQAAjwAAkQAAkgAAlAAAlQAAlgAAlwAAmAAAmQAAmgAAmwAAnwAAoAAAoQAAogAApAAApQAApwAA
qgAArQAArgAArwAAsAAAsgAAswAAtAAAtQAAtgAAuQAAugAAuwAAvAAAvwAAwAAAwQAAwgAAxAAA
xQAAxgAAxwAAyAAAyQAAywAAzAAAzwAA0QAA0gAA0wAA1QAA1wAA2AAA2QAA2v///0YAAAAAAHQA
A88AA+ciNAABFwAPYBev5zV7vAAXdwAPYLnsLBzhYLnsKAAPYLnrkPQAALns2PuM+PcT4rnsTBzh
8LnsSMwLMLnrtLnsLLns2PuM+PcT4gABN+wacxzh8GKmyLnsTLnsTBzh8LnsFOwXaRzh8GKmyLns
TBzh8AAAAAAAA8xj0Mxj0LnsOEkIogAAALnsREAdQcxj0Mxj0LnsVEj4+veYt/eYz17CiMxj0AAR
kQQj2Mxj0AATzwAACcxj0APReEAbkMxgAESV1cxj0GMboGMboEUEtf8AAMxiEKUADAAAAAAAAEzs
1Ezs1Ezs1Ezs1MxiEAAAAUtY48xijAAAAAAAAAAAIEAQGEAQGAAAAiH5BAEAAKMALAAAAAAgAEoA
AAj+AEcJHEiwoChRBRMqXDjwEyhQoRhKZMipk6dPEzMWxJRJEyeNIB05gkQp0yaQGQkROsRIUiaU
E/Xo8SNo0SSYDOO0aRNHj6BGlnAqPBMmzJk3fAxFElrwDJcrV7icmQOo0SWmA79MSZJkypc1exDd
xDrKihEgQIxYKUMnkCOyXZb8sGHjx5IubfwoqoTVypAaLVrUGGLFDJ5CS5k24dGiRIkWPJqAgVOV
qZYiM0p48FBiRhEtavYkoiRUyg8WHzBg+MDihxQydQY9EprkhgkNEiRoMHEjyRc3fxjhzDIEBggK
Dx5QAAFjSJY0esTCjNJDxQYICxZA2KCiRxQydAT+zQbZBYmNEhYaIEDQwEIJG0i6AF8UVCMWIS8+
SFBgwIACCR+8IAQWaORxiCQgPcGDCho8gAABBCDwgAYq8PCEGHK4pREXRtAwQgUMGDDAAAYwUMEI
NBjBBRt97JURFUG44EEECRAggAAEJBCBBy4EQYVhiGXERA4oZPDAAQPcOMABD2SAQg5MTFaZRFoQ
IYMIFCxQwAABBDBAAQtQIIIMRIAmGmkMSeHDChxAkECSXQowQAIQcLCCD6/FNt5CtZVwQQMidtkl
iQ1cUEJvvwXHEHEwfDCBAjYKGgCOCkzwQXPPRTdWQtRZ5yCcgsopIXfegSeeQuWdl16gknppQHv+
78U3X30E3ZefBDUK0OqkOQIoIIEGIliQggx+qmurok5Y4YUZvkUQhx6CyGoAAAAgKIkmoqgiiy4O
BKOMNEbaZbWh5rhjjz8elphAQxZ5JKjUWhvnkk0+GSVljQxU5ZVZbiloteQOCqaYZJo5mkBqsukm
vADLO+mcdd6Zp2yjeNHnn9PGG/CgrxramxfzXcIoCI8WcOy4AEsqQAGVMudcgQdG4YN1C5+sscMP
08mdD1GMMUcgew4E780qDyBhBidkRACX/6Z8bY5NlpCRiCc3HCqJCkSwAQoZJbDlsVY/XEACD1wQ
QgsZOfAg2E7jiIADFHygwg0ZSbAAq2GTuID+BB2kUIMQGWFgLNHJYkCCDEE8kVEH4epqNY46drDC
DkpskdFxWjqe8sphghCDEFWUkdGHDJhMeAHZ0nDEFmtk5CegmpMrQMcl4LAEGG9kdAIGsBP+KgYn
5OBEGHJkhALvBsRu7ewNYICCDk+QYYfxyCs/6e8o7ACF9NT3/jj22nM/0fHebw7+9tOPX73vzWeP
fvfJs+98+OlLRH7837dPP/zWMz//++orn+zOJz77rS9//ysgQ+7XPwLWb4EHNJ/+AGhAAS7PgfyT
n/sUuBAGanB/AcSfBBP4wA5GcIAT5KBCPIjADZZQISnIgAOQZDM5HcABGUhB+O6QkRQ0CAEQI7qR
kow2oRTw4Ds8LEhAAAA7

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.cexx.org/home_main.gif

R0lGODlhHQAoALMAAAAAAABjAIAAAP//////////////////////////////////////////////
/////yH5BAEAAAIALAAAAAAdACgAAASPUMhJq70406A75t4VgBMZbgBgnlaQpuA4soL7wjV+2jds
rxleD6brCIdEYAuJnGmOzJeyFI1OodUbEJvVorpZkmxMLpvF4DA1bV2zm+53Dy0f0uteCfd9P4/U
elJMe0U8XIQqboeAOURNjIaDkIJzKpOOdpeWj1V9kp2Kn22BmJWgpJuZpzV+rWU0sLEZEQAAOw==

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.cexx.org/mail_main.gif

R0lGODlhJQAdALMAAAAAAAAdAAAnAAAyAAA8AABEAABMAABXAABnAAB5AACIAACYAACmAAC4AADK
AP8AACH5BAEAAA8ALAAAAAAlAB0AAARr8MlJq7046827/2AojmRpnmiqruyEvHAsz7RMIcAL7Hzv
/z0d4sbTAY8+Y44YxCGByt3QBXU+c9Ygs5ptIqeSbrUYhRJj3/J3e20nzzT3miqvL6lx+w/8EOuP
fH5/e2yDgDc1iYo2LY0gEQAAOw==

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.cexx.org/led_main.gif

R0lGODlhJQAaALMAAAAAAABjAAgIhL4CAv//////////////////////////////////////////
/////yH5BAEAAAAALAAAAAAlABoAAARFEMhJq7046827/2AojmRpnmiqrlhguWwAT7Mq13V6zzm6
w73TzxU0DWWdo3LJRIKULMBQGv1JiqUdreq8citYUi8c3UQAADs=

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.cexx.org/graph0.gif

R0lGODlhFAAUAIAAAAAAAABAACwAAAAAFAAUAAACJoyPqcDt7wKcUNILLJ56v+41YJiRnxmhosqM
oevBm4zRl03hHAsUADsNCg==

------=_NextPart_000_0000_01C29167.A9CA9480
Content-Type: application/octet-stream
Content-Transfer-Encoding: 7bit
Content-Location: http://www.cexx.org/rollover.js

// preload the rollover images, after originals have been loaded.
if (document.images) { 
left = new Image; 
left.src = "rarrow_anim.gif"; 
right = new Image; 
right.src = "larrow_anim.gif"; 
home = new Image;
home.src = "home_anim.gif"
mail = new Image;
mail.src = "mail_anim.gif"
links = new Image;
links.src = "sphere_anim.gif"
}




function rollover(off, on) {
  if (document.images) {
     document[off].src = on;
      }
  } 


------=_NextPart_000_0000_01C29167.A9CA9480--